U.S. Department of Labor

OFFICE OF THE CHIEF INFORMATION OFFICER

Office of Inspector General—Office of Audit

IMPROVEMENTS NEEDED TO DOL’S CAPITAL
PLANNING AND INVESTMENT CONTROLS FOR
MANAGING INFORMATION TECHNOLOGY
INVESTMENTS

Date Issued: March 25, 2014
Report Number: 23-14-009-07-723


U.S. Department of Labor
Office of Inspector General
Office of Audit

March 2014

BRIEFLY…

IMPROVEMENTS NEEDED TO DOL’S CAPITAL
PLANNING AND INVESTMENT CONTROLS
FOR MANAGING INFORMATION
TECHNOLOGY INVESTMENTS

Highlights of Report Number: 23-14-009-07-723, issued
to the Chief Information Officer.

WHY READ THE REPORT

DOL spends about $500 million annually on a portfolio
of information technology (IT) investments that support
its mission and the delivery of customer services. This
level of spending requires DOL to develop and
implement a comprehensive approach to responsible
management of these IT assets. The report highlights
improvements DOL needs to make that would better
ensure these investments are properly managed, stay
within budget, and meet DOL program needs.

WHY OIG CONDUCTED THE AUDIT

Office of Management and Budget (OMB) A-11 requires
the Department of Labor (DOL) to report on all funding
for IT investments, including IT security. Fully
documenting and properly classifying investments
according to DOL policies and procedures is key to
establishing complete and accurate information for
prioritizing investments based on mission or program
needs. Implementing strong controls over IT
investments reduces the risks for cost overruns,
schedule shortfalls, or outcomes that do not meet
business needs or agency mission objectives.
Oversight is a critical component of the investment
management process that ensures investment risks can
be effectively managed, tracked, and mitigated.

Our audit objective was to answer the following
question:

Has DOL established effective controls to manage the
IT investment process?

READ THE FULL REPORT

To view the report, including the scope, methodology,
and full agency response, go to:

http://www.oig.dol.gov/public/reports/oa/2014/23-14-009-07-723.pdf.

AUDIT RESULTS

Our audit concluded DOL can improve management of
its IT investments by ensuring controls are timely
updated and followed. These actions will provide DOL
with better information regarding its IT investments and
help it more effectively manage IT investment cost,
schedule, and performance.

Of the 15 sampled IT investments we reviewed,
4 investments, costing about $365 million from
FY 2010 through FY 2012, were not classified as major
investments consistent with DOL policy and were
therefore not subjected to the full range of departmental
oversight. Furthermore, 3 of the 15 sampled IT
investments were not managed by certified project
managers as required by DOL’s System Development
Life Cycle Management (SDLCM) manual. Finally, we
determined the maturity of DOL’s investment
management process had not surpassed Stage 2 of
GAO’s ITIM framework due to a number of factors not
fully present in DOL’s process. Greater maturity within
the ITIM framework can strengthen an agency’s overall
security posture and help ensure that IT security is
appropriately planned and funded throughout the
investment’s life cycle.

WHAT OIG RECOMMENDED

We made 3 recommendations to the CIO to: 1) ensure
all IT investments are identified and included as part of
a comprehensive investment management process;
2) update DOL IT capital planning and investment
control policies, procedures, and documentation; and
3) implement an investment management framework
consistent with National Institute of Standards and
Technology Special Publication 800-65.

The Office of Assistant Secretary for Administration and
Management’s Deputy Assistant Secretary for
Operations, responding for the Chief Information
Officer, stated the Office of the Chief Information Officer
accepts the recommendations in the audit report and
will take appropriate action to update Department-wide
policies, processes, and procedures. These corrective
actions are planned for completion in FY 2014.


U. S. Department of Labor – Office of Inspector General

Table of Contents

Inspector General’s Report

Results

    Objective - Has DOL established effective controls to manage the IT investment
    process?

        DOL’s investment management controls were not applied
        uniformly, resulting in inadequate oversight of IT investments
        and increased risk of investments not meeting DOL business
        or program needs.

    A. DOL Investment Management Controls Were Not Effective
    B. Maturity of DOL's Investment Management at Stage 2

Recommendations

Exhibits
    Exhibit 1 DOL's 113 Investments
    Exhibit 2 Investments Classified as Non-Major
    Exhibit 3 Financial Management Investments Classified as Non-major
    Exhibit 4 Investments Categorized as Not Applicable
    Exhibit 5 Investments Missing Significant Portions of CPIC Documentation

Appendices
    Appendix A Background
    Appendix B Objectives, Scope, Methodology, and Criteria
    Appendix C Acronyms and Abbreviations
    Appendix D CIO Response to Draft Report
    Appendix E Acknowledgements

CPIC Needs Improvement
Report No. 23-14-009-07-723


U.S. Department of Labor
Office of Inspector General
Washington, D.C. 20210

March 25, 2014

Inspector General’s Report

T. Michael Kerr
Chief Information Officer
U.S. Department of Labor
200 Constitution Avenue, NW
Washington, D.C. 20210

The Clinger-Cohen Act requires each federal agency to implement processes for
maximizing the value and managing the risks of their information technology (IT)
investments. The Department of Labor (DOL) guides and supports its IT investment
project managers through the Capital Planning and Investment Control (CPIC) process.
All IT investments must comply with requirements of CPIC and its select, control, and
evaluate phases. To help project managers comply with the CPIC process, the Office of
the Chief Information Officer (OCIO) provides requirements and resources through
electronic CPIC (eCPIC) and through a CPIC guide.

Additionally, the Government Accountability Office (GAO) developed the Information
Technology Investment Management (ITIM) framework, which can be used to analyze
investment management processes to determine their level of maturity. For this audit,
we used the ITIM framework as a measurement of investment process maturity. This
measurement tool was provided within the National Institute of Standards & Technology
(NIST) Special Publication (SP) 800-65, which assists federal agencies in integrating IT
security into the capital planning process by providing a systematic approach to
selecting, managing, and evaluating IT security investments.
This publication provided
the investment stages of maturity and identified the critical processes of the life cycle of
investments (see GAO ITIM chart on page 8).

We conducted an audit to answer the following question:

       Has DOL established effective controls to manage the IT investment
       process?

Our audit covered DOL’s portfolio of 113 IT investments (see Exhibit 1), which received
$1.43 billion in funding over Fiscal Years (FY) 2010, 2011, and 2012. For testing, we
judgmentally selected 15 IT investments by applying 7 risk factors to all 113 IT
investments. These 15 investments represented $725 million, or 51 percent, of the
$1.43 billion. Our areas of testing included: 1) key controls and performance indicators
of the IT investment management control processes; 2) IT investment policies and
procedures; 3) defined phases for select, control, and evaluate, investments; 4) key IT
investment classifications not recorded in CPIC documentation for FYs 2010, 2011,
and 2012; and 5) DOL’s CPIC processes relative to ITIM.

We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objective. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on our
audit objective.

RESULTS

Objective - Has DOL established effective controls to manage the IT investment
process?

      DOL’s investment management controls were not applied uniformly,
      resulting in inadequate oversight of IT investments and increased risk of
      investments not meeting DOL business or program needs.

A. DOL Investment Management Controls Were Not Effective

DOL policy required monitoring of all major investments whose value exceeded the
DOL policy specified dollar threshold. However, the selective exclusion of some
investments may have resulted in unreliable measurement of total IT investment
performance results and provided limited executive visibility to any high risk CPIC
investment activities.

Our audit found DOL can improve management of its IT investments by ensuring
controls are timely updated and followed, which will result in better information to
effectively manage IT investment cost, schedule, and performance. DOL demonstrated
a high degree of undocumented discretion in investment oversight and monitoring. This
discretion led to the weakening of DOL’s IT management process resulting in the
exclusion of investments for management under current policies and procedures; the
by-passing of controls intended to ensure monitoring took place across all investment
phases; non-compliance to provide for full public disclosure within the OMB IT
Dashboard; and increased risk that individual investment projects were not being
prioritized based on mission needs.
Without complete and accurate information on all IT
investments, DOL management would not be able to make fully informed decisions or
fully consider risks.

In our review of 15 sampled IT investments, we found 4 investments, totaling about
$365 million from FY 2010 through FY 2012, which were not classified as major
investments per DOL policy and were therefore not subjected to the full range of
oversight by the CPIC process. We also found 3 investments were not managed by
certified project managers as required by DOL’s System Development Life Cycle
Management (SDLCM) manual.

DOL Classification of Investments

We found 4 investments, totaling about $365 million from FYs 2010 through 2012 that
did not follow existing, written DOL IT investment management controls or DOL policy
requirements for monitoring major investments. Those investments were:

   • DOL Agency General Support System (AGSS)
   • The Office of the Assistant Secretary for Administration and Management
     (OASAM) DOL IT Infrastructure Modernization (DITIM)
   • Bureau of Labor Statistics (BLS) Technical Management & Strategic
     Activities (TMSA)
   • OASAM Acquisition Management System (AMS)

We identified inconsistent IT investment classifications. The DOL policy to identify and
classify major IT investments was not followed. Specifically, the IT Capital Planning and
Investment Control Guide: Managing IT Investments, version 2.1, October 2011 (CPIC
Guide) required all high-value IT investments be subjected to increased oversight
because of their significant cost and potential risk to the government. This policy
required monitoring of all major investments more than the DOL CPIC policy-specified
dollar threshold. The CPIC Guide stated that any IT investment with annual costs at or
above $5 million each year should be classified as a major investment.

DOL’s portfolio of investments was annually reported to OMB within DOL’s submission
of the OMB Exhibit 53. The Exhibit 53 must demonstrate the agency’s management of
IT investments and how governance processes were used to plan, select, develop,
implement, and operate IT investments. This documentation was used to manage the
planning, development, implementation, and operation of IT investments and
documents that demonstrate the outcomes of agency, branch, and bureau governance
decisions and should be maintained and be available on request. For the IT investment
portfolio reported in the Exhibit 53, the OMB Exhibit 300 described the justification,
planning, and implementation of an individual capital asset included in the agency IT
investment portfolio and served as a key artifact of the agency’s EA and IT capital
planning processes. The Exhibit 300 was comprised of two components--300A and 300B.
The Exhibit 300A provided key high-level investment information to inform budget
decisions, including general information and planning for resources, such as staffing and
personnel. The Exhibit 300B provided temporal information, related to tracking
management of an investment, such as projects and activities, risks, and operational
performance of the investment.
We compared DOL’s OMB Exhibit 53 reports to its
investment portfolio listings for FYs 2010 through 2012 and identified discrepancies for
9 investments within specific FYs that were classified as non-major in DOL’s IT portfolio
(see Exhibit 2).

Also, financial management systems were classified as non-major investments.
According to the CPIC Guide, all investments for financial management systems[1]
costing $500,000 or more each year are required to be classified as major. We
reviewed all 15 of DOL’s financial management investments[2] and identified investments
more than $500,000 that should have been classified as major, but were not. We
determined that 5 investments, valued at $50.3 million, had been classified as
non-major in DOL’s IT portfolio (see Exhibit 3).

Specifically, there were two investments,[3] totaling $293.9 million, which were not always
managed using CPIC and did not always use eCPIC per DOL’s policies and guidance
(see Exhibit 4). These two investments were not categorized in the select, control, or
evaluate phases, but were instead identified as not applicable. The OCIO stated an
alternative process to CPIC was used for these investments, but this alternative process
was not documented. The OCIO also stated these investments were not subject to a full
level of CPIC processes and oversight because they were not categorized as major
investments. Not following the existing DOL IT investment management controls, such
as documenting the select, control, and evaluate phases, resulted in inconsistent
application of existing IT portfolio management policies and processes.

[1] OMB Circular A-127 defines a financial system as an information system that may
perform all financial functions including general ledger management, funds management,
payment management, receivable management, and cost management. Other uses include
supporting financial planning, budgeting activities, and preparing financial statements.

[2] DOL OCIO listed 15 financial management systems in the Cyber Security Assessment and
Management (CSAM) tool between FY2010 and FY2013.

[3] DOL AGSS is a sub-agency individually managed general support systems and IT
Infrastructure investment. BLS TMSA is an investment that provides administrative support
to the various IT offices within BLS.

CPIC officials also stated:

        For the President's Budget, EA [Enterprise Architecture], IT capital
        planning, and CIO function investments are not categorized as major
        investments and an Exhibit 300 is not required for them. ...TMSA is an EA
        and/or Capital Planning investment and therefore was not subject to the
        full Exhibit 300 level of CPIC processes and oversight.

CPIC officials explained that since OMB reporting instructions did not include EA
investments, these types of investments were not to be included in the established
CPIC process or subjected to CPIC controls. The OMB instructions provided by CPIC
officials stated external reporting for CPIC activities was not required with Exhibit 300
reporting for major investments for FY 2013 and following FYs. However, according to
OMB A-11 instructions, DOL was required to monitor the performance of these activities
through internal monitoring and internal documentation. Exclusion from OMB reporting
was permitted for FY 2013 due to the 2012 published FY2013 OMB Guidance on
Exhibits 53 and 300s, which stated:

        … EA, IT capital planning, and CIO function investments are not
        categorized as major investments and an Exhibit 300 is not required for
        them. Any capital planning and investment control process investments
        may be reported separately in this section.

We believe DOL misinterpreted the reporting exclusion for monitoring EA
investments in FY2013. OMB did not instruct to exclude investments within FY
2011 and FY 2010, but did instruct to exclude external EA reporting in FY 2013.
OMB did not provide instruction excluding the performance of monitoring or
continued use of internal investment controls on EA investments covering this
three year period.

OMB Circular A-11 requires IT investment reports to be provided in accordance
with the Clinger-Cohen Act.
OMB A-11 states:

      Investment costs and performance benefits must be formulated and
      reported in order to support the Clinger-Cohen Act's requirement that the
      OMB Director shall submit to Congress a report on the net program
      performance benefits achieved as a result of major capital investments
      made by executive agencies in information systems and how the benefits
      relate to the accomplishment of the goals of the executive agencies.

More specifically, the Guide to OMB Circular A-11 also states:

      As agencies continue to utilize EA to model performance, business
      processes and services, decision makers must create clear line-of-sight
      relationships between investments in capital assets and specific
      components in the EA. For example, the business case for a capital asset
      must document the specific performance measures that are affected by
      the investment and how those measures are affected. The same clarity
      should exist for business processes, services delivered and data managed
      by a capital asset.

Additionally, DOL policy required monitoring of all major investments whose value
exceeded the DOL policy-specified dollar threshold. However, the DOL CPIC policies
did not include the updated FY 2013 OMB-instructed exclusions to EA investments.
DOL’s CPIC Guide required management of the full IT portfolio. OMB’s updated
instructions did not instruct DOL to exclude management of EA activities; rather, OMB
instructed not to report on EA in FY 2013. Selectively excluded investments may result
in not effectively measuring the total investment performance results against the EA and
provide limited executive visibility to any high risk CPIC investment activities.

Another two investments were missing OCIO-required CPIC documentation (see
Exhibit 5).
Significant portions and projects within OASAM DITIM and OASAM AMS
investments remained undocumented. In our tested investments, the three control
phases were not timely updated within documentation and did not correctly document
changes to investment select, control, or evaluate phases. The parts missing from these
investments were:

    1) OASAM DITIM – The investment totaled $59.8 million between FY 2010
       and FY 2012. The project management plan described this investment as
       having 9 major IT infrastructure silos[4] with a shared information
       environment. Three of the 9 silos were identified as support functions. For
       these 3 silos, management did not provide documentation to support
       critical CPIC activities, such as quarterly, annual, and scorecard reviews
       performed at any time between FY 2010 through Quarter 1 of FY 2013.
       The 3 silos were:

          • IT Modernization Program Management (ITMPM)
          • IT Modernization Change Management (ITMCMP)
          • IT Modernization Enterprise Architecture (ITMEA)

    2) OASAM AMS – The investment totaled $11.4 million between
       FYs 2010 and 2012, with the baseline[5] being reported to OMB in
       FY 2012. DOL’s select phase policies stated that baseline
       documentation and artifacts should have been provided in eCPIC in
       order to create the baseline reported and included in OMB Exhibit 53
       and OMB Exhibit 300 materials.[6] No baseline documentation was in
       eCPIC and limited documentation was provided for FY 2011 for
       planning the baseline. The final DOL-approved baseline
       documentation did not occur until June 2013. The select phase for this
       investment lasted through the duration of 3 fiscal years with minimal
       select phase oversight on IT spending. The DOL OCIO CPIC group
       explained that the AMS acquisition contract was contested through the
       identified years; however, development-related spending was not
       suspended or tracked with a defined baseline to provide investment
       risk management. Delays from the contested contract award were not
       documented either within the risk registry documentation or within the
       WBS documentation.[7] Also, significant funding adjustments were not
       documented within eCPIC or associated select phase documentation,
       as required. This lack of documentation resulted in a misstatement to
       OMB for reporting the baseline status, and in June of 2013 a revision
       to the OMB IT Dashboard was made to reflect the DOL-approved
       baseline.

[4] A silo is an information system that is unable to freely communicate with other
information management systems. Communication within an information silo is always
vertical, making it difficult or impossible for the system to work with unrelated systems.
Information silos may also exist because managers control the flow of information and
access to the silo indicating an incentive exists for maintaining status quo.

[5] Per FAR Subpart 34.2 and OMB’s Capital Programming Guide, a supplement to Circular
A-11, Part 7, agencies shall implement an Integrated Baseline Review (IBR) or baseline
validation process as part of an overall investment risk management strategy. As part of
this process, requested adjustments to an existing investment baseline (i.e.
“rebaselining”) should only be made if the program manager can demonstrate a high
probability of success and a benefit-cost result that justifies continued funding after
comparison with the other alternatives in the portfolio and budget limitations.

[6] The information contained within Exhibit 53 and 300 reports over multiple reporting
periods is used by OMB to continually provide the U.S. public government-wide investment
information through the website: http://www.itdashboard.gov.

[7] OMB A-11 Capital Planning Guide states the Work Breakdown Structure (WBS) is an
integrated family tree that defines all the products and services comprising the
investment program. The WBS provides the framework for estimating the program's cost and
risk during the pre-systems acquisition planning and for developing the program schedule.

CPIC officials stated the CIO had discretion in managing the investments and this
discretion allowed for the removal of investments from the CPIC process and classifying
investments outside the documented policy and procedures. Discretion may have been
used by the CIO to remove investments from the existing CPIC process and to classify
investments contrary to policy and procedures.
However, there were no existing policies
or procedures that permitted and guided unilateral or coordinated discretion by the CIO.

This high degree of undocumented discretion has led to the weakening of DOL’s IT
management process, which resulted in: the exclusion of investments for management
under current policies and procedures; the by-passing of controls intended to ensure
monitoring took place across all investment phases; non-compliance to provide for full
public disclosure within the OMB IT Dashboard; increased risk that individual
investment projects were not being prioritized based on mission needs and
improvement priorities; the use of uncertified project managers; and potential risks of
DOL not meeting business or program needs.

IT Investments Identified With Non-Certified Project Managers

We found three DOL IT Investments, EFAST2, AGSS, and TMSA, which were not
managed by certified project managers. Without use of certified project management,
DOL did not ensure that investments were consistently monitored and that investment
risks were fully reported by trained personnel.

The Employment Benefits and Security Administration’s (EBSA) project manager was
not certified as required by DOL’s SDLC Management (SDLCM) manual. The project
manager’s investment was classified as major and funded for $42.5 million from
FYs 2010 to 2012. While the project manager attempted to obtain a waiver in 2009, no
response was received from the OCIO and no program agency follow-up was ever
conducted on the status of the waiver with OCIO. Additionally, there were two
investments improperly classified that had non-certified project management
professionals. Due to DOL AGSS ($276.2 million) and TMSA ($17.7 million) not being
properly classified, management did not apply the major investment requirement to
have a certified project management professional overseeing these investments.
If
these investments had been managed within the CPIC process, they would have been
required to be managed by certified project management professionals.

OMB Memorandum for Chief Acquisition Officers on April 25, 2007, The Federal
Acquisition Certification for Program and Project Managers, states:

      Well-trained and experienced program and project managers are critical to
      the acquisition process and the successful accomplishment of mission
      goals. A strong partnership between program and project managers and
      contracting professionals requires a common understanding of how to
      meet the government’s needs through acquisitions that deliver quality
      goods and services in an effective and efficient manner.

Ensuring well-trained and experienced program managers lead IT investment oversight
reduces potential risks for cost overruns, schedule shortfalls, or outcomes that do not
meet business needs or agency mission objectives.

NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment
Control Process, required adherence to GAO’s best-practice, three-phased
investment life-cycle model for federal IT investments. NIST SP 800-65 included the
GAO ITIM five-stage framework maturity model in section 2.4, Information Technology
Investment Management. These required critical processes [8] were used in testing DOL’s
investment management processes for maturity.


B.
Maturity of DOL’s Investment Management at Stage 2

We assessed DOL’s CPIC and investment management processes against GAO’s ITIM
framework and found DOL’s CPIC processes were at Stage 2, Building the Investment
Foundation. A fully utilized investment management framework can produce more
consistent IT investment results. These results include minimizing the risk of not
meeting mission needs, reducing cost overruns, and potentially producing more
timely results on a consistent basis. The use of an effective maturity framework can
mature an organization’s investment planning and management decision-making capabilities.

NIST SP 800-65 provides methodology for managing investments through GAO’s ITIM
maturity framework. This framework presented in NIST guidance is referred to as a
model methodology. Agencies should work within their investment planning
environments to adapt and incorporate the pieces of this process into their own unique
processes to develop workable approaches for CPIC. If incorporated into an agency’s
processes, the methodology can help ensure that IT security is appropriately planned
for and funded throughout the investment’s life cycle, thus strengthening the agency’s
overall security posture. The maturity stages of ITIM are shown in the following chart.

[8] NIST SP 800-56 provided the ITIM framework for defining the critical processes and key practices for investment
management. NIST directed agencies to use GAO-04-394-G, Information Technology Investment Management, A
Framework for Assessing and Improving Process Maturity, Version 1.1, March 2004.

Each stage of maturity builds upon the lower stages and enhances an organization’s
ability to manage its IT investments. According to the GAO framework, the organization
assessed cannot achieve the next stage of maturity should there be weaknesses
identified in the previous stage. Although we identified weaknesses in CPIC and eCPIC
controls, we determined the maturity of DOL’s CPIC process for IT investments was
consistent with Stage 2 maturity, Building the Investment Foundation. We made this
determination because of insufficient monitoring to ensure the CPIC and eCPIC controls
were applied to all IT investments. Adequate monitoring would have provided increased
completeness of the information and accuracy of the data and adherence to established
policies and procedures. WBSs were either not documented or not fully documented,
such as security cost information not being included.

Further, because DOL investment management had not developed a complete
investment portfolio and instead used other alternative, non-documented processes,
advancement to higher stages within the ITIM framework was also prohibited.
Additionally, program agency investment managers’ WBSs were either not documented
or were not fully documented in 7 of 15 investments reviewed. [9] Finally, DOL’s
Enterprise Implementation Committee did not document any results of their IT
investment-related meetings and decisions for FY 2012.

At Stage 1 maturity, Creating Investment Awareness, DOL had defined and
disciplined investment processes.
DOL created a specified group, the OCIO CPIC
group, tasked to assist agencies and project managers in performing investment
management activities and to assist in reporting investment performance results to
OMB. Furthermore, DOL defined critical ITIM processes through the following policies
and procedures, which program agencies were to follow and consistently apply:

     •   eCPIC Guide v 2.1 Oct 2011
     •   SDLCM Manual
     •   DLMS 9 – Chapter 200
     •   Earned Value Management Policy
     •   DOL Exhibit 53 Instructions
     •   DOL Exhibit 300 Guide
     •   Baseline Management Guide v.1
     •   Investment Review Requirement

[9] Investments’ Work Breakdown Structures (WBS) were not provided or were missing vital information from these
investments: EBSA EFAST2, OCFO PeoplePower, DOL IT Infrastructure Modernization, DOL AGSS, Mine Safety
and Health Administration (MSHA) Mine Safety Information System (MSIS), SOL IT Modernization, and OASAM
AMS.

However, for Stage 2, we found DOL’s ITIM processes were only partially completed,
contained significant gaps, or were not fully implemented. Specific examples of
weaknesses in critical DOL CPIC processes included the following:

Post Implementation Review (PIR) not performed and overlooked – Of the investments
tested by OIG, a PIR for one of two investments in the evaluate phase was not
performed by program agency investment management.
PIRs were to be performed to
document effective IT investment management practices, to ensure continuous
improvement in IT Investment decision and management processes, and to help avoid
repeating mistakes in future IT projects. For example, DOL’s FY 2013 IT Investment
Review Requirements, dated February 20, 2013, required PIRs to be performed within
12-18 months of full system implementation. Once the OCIO approved PIRs, as well as
other control phase requirements, the investments were to change from the control
phase to the evaluate phase. We found that a PIR had not been performed for one of
two [10] investments in the evaluate phase. Specifically, the Office of Public Affairs (OPA)
was not able to provide a completed PIR for the Enterprise Communications Initiative
(ECI) Investment. At the time of OIG testing, the ECI investment had been in the
evaluate phase for over 18 months. According to CPIC policies, this investment should
not have been moved to the evaluate phase until the PIR had been submitted and
approved by the OCIO.

Non-performance of Cost Benefit Analysis and Incomplete Analysis of Alternatives – Of
the investments tested, 7 of 15 were found to be deficient. DOL guidance requires each
investment to have a Cost Benefit Analysis (CBA) that requires at least 3 viable
alternatives be evaluated and compared consistently, detail the cost and benefits for
each alternative, and provide a detailed justification for the selected alternative.

Of the seven investments reviewed, three did not have a CBA in place.
[11] Four other
investments had CBAs, but these were outdated to the extent the documented alternatives
could no longer be relied upon. [12] For example, the CBA for the Office of the Chief
Financial Officer’s (OCFO) New Core Financial Management System (NCFMS) referred
to retired information systems, such as the DOL Accounting and Related System and
NCFMS Lean, retired in 2010 and 2006, respectively, which were no longer considered
realistic or reasonable alternatives.

[10] We selected 15 investments to review for compliance with Departmental Capital Planning policies and procedures.
Of the 15 investments selected for review, two investments were in the Evaluate phase.
[11] Investments without a CBA included DOL AGSS, BLS TMSA, and OASAM AMS.

Furthermore, three [13] CBAs did not consider disposition costs or inconsistently included
disposition costs for some of the presented alternatives. This resulted in inconsistent
comparison of the documented alternatives and potentially resulted in the selection of a
less cost effective alternative. As a result of these CBA deficiencies, decision makers
were not provided with a complete analysis of alternatives, requirements, costs, and
benefits. Without a complete and accurate analysis of the project, senior management
was hampered in their ability to make an informed decision to continue funding these
specific projects and the overall investments.
Furthermore, incorrect analysis may have
led senior management to approve projects at risk for cost overruns, not meeting
goals, or not being completed within schedule.

Risk management activities not performed and incomplete – Of the investments tested,
8 of 15 had poorly documented and inconsistently maintained investment risk
management processes. The DOL risk management process required a risk register to
be developed for each investment in order to capture, track, and prioritize the individual
project risks based on the probability and impact of risk materialization. The risk register
should include a list of lessons learned that was required to be actively managed and
updated on an ongoing basis.

Of the 8 investments with deficiencies, 2 [14] did not have required, documented risk
registers. Furthermore, we found 5 investments [15] that had risk registers that were not
being updated on a consistent basis. OPA’s ECI did not address all 19 required risk
areas. [16]

Not documenting risks impacted DOL’s risk management process and capability to
monitor defined risks to the point that risks may not have been effectively identified,
managed, tracked, or mitigated.
Also, without a complete risk register that identifies how
project staff will respond to specific risks, DOL may not be able to properly respond to
unplanned incidents or to remediate project risks, which may contribute to cost
overruns, schedule shortfalls, and an investment’s inability to perform as expected.

[12] Investments that had a CBA, but whose CBA was so outdated the documented alternatives could no longer be
relied upon, included: OCFO NCFMS, MSHA MSIS, SOL IT Modernization Investment, and DOL DITIM.
[13] Investments with inconsistent consideration of disposition costs included: OCFO NCFMS, SOL IT Modernization
Investment, and OASAM AMS.
[14] Investments that did not provide documented risk registers included: BLS TMSA and DOL AGSS.
[15] The five investments whose risk registers were not updated on a consistent basis, including not updating the
lessons learned portion of the risk register, included: Occupational Safety and Health Administration OSHA
Information System, SOL IT Modernization, OASAM AMS, WHD WDS, and OCFO NCFMS.
[16] Review of OPA ECI investment’s risk register resulted in 7 of 19 risk areas not being documented or considered.
Those 7 risk areas not considered were asset protection consideration, overall risk of project failure, project
resources/financial, technical, business/operational, organizational and change management, and strategic risks.

Earned Value Management (EVM) or Operational Analysis was not performed on tested
investments – In 2004, the OCIO issued guidance on its EVM policy establishing dollar
thresholds for which major IT projects must implement EVM or, if not required to
implement EVM, should perform an Operational Analysis. [17] We reviewed all
investments to determine if EVM had been implemented or if an Operational Analysis
had been performed and determined 3 of 15 investments could not provide evidence of
having implemented EVM or performed an Operational Analysis. [18] Furthermore, we
noted one of the investments, the OCFO PeoplePower investment, provided an
Operational Analysis, but no cost or schedule variances were included in the analysis.
The OCFO stated no variances had been calculated since FY 2011 because the
investment is in a steady state and is due to be decommissioned in FY 2014. While the
OIG agrees the investment’s spending has been consistent for the last few years and it
will soon be decommissioned, OCIO guidance requires an Operational Analysis to be
performed until the investment is decommissioned or no longer meets the EVM dollar
threshold. Improperly recording the project’s cost and schedule variances hampers
management’s ability to take corrective actions against cost and schedule overruns
before tasks are completed.

Capital Planning resources were inconsistently tracked or documented – DOL’s
Computer Security Handbook contains policies and procedures to ensure information
security is addressed in the capital planning and investment process. OCIO required
program agencies to record information security resource funding allocations within the
individual investment’s Project Plan, or Work Breakdown Structure (WBS).
We identified
4 of 15 investments [19] that did not contain verifiable information or a discrete line item for
information security. This was mostly due to incomplete information provided by the
program agencies in completion of its Project Plans or WBS. Without properly tracking
IT security funding, DOL is unable to ensure funding for critical security needs remains
cost effective, is well-planned, and adequately considered for making critical investment
decisions.

As DOL strives to improve critical CPIC processes to higher levels of maturity, the
weaknesses identified in earlier stages of the ITIM framework must be resolved. Also,
not fully performing and following required CPIC activities resulted in incomplete or
incorrect information for investment decision-making and oversight.

[17] OCIO Guidance for the DOL Earned Value Management System Methodology, dated September 27, 2004,
requires major investments in the operational or “steady state” phase where EVMS is not required to use operational
analysis to determine how close the investment is to meeting its operational cost, schedule and performance goals.
[18] The OCFO NCFMS investment could not provide evidence of performing EVM or Operational Analysis; the WHD
WDS investment could not provide evidence of Operational Analysis from FY 2010 to FY 2012; and the MSHA MSIS
investment could not provide evidence of performing an Operational Analysis in 2010.
[19] Those investments in which we were unable to verify that a discrete line item for IT security testing had been
established included: OASAM AMS, BLS TMSA, DOL AGSS, and DOL DITIM.


RECOMMENDATIONS

We recommend the CIO:

1. Perform a DOL-wide review of the IT Portfolio and the Investment Management
Process to verify classification of all IT investments meets DOL’s policies and
procedures.

2. Update IT capital planning and investment control policies, procedures, and
documentation to reflect and clarify: (a) use of the capital planning tool, and (b) the
comprehensiveness of the investment management process and enforcement to
maintain required eCPIC documentation for critical processes involving select, control,
and evaluate phases.

3. Implement an investment management framework consistent with NIST SP 800-65
and which aligns with GAO’s ITIM maturity framework to strengthen DOL’s approach to
IT investment management.

CIO’S RESPONSE

The Office of Assistant Secretary for Administration and Management’s Deputy
Assistant Secretary for Operations, responding for the Chief Information Officer, stated
that the Office of the Chief Information Officer accepts the recommendations in the audit
report and will take appropriate action to update Department-wide policies, processes
and procedures. These corrective actions are planned for completion in FY 2014. See
Appendix D for the CIO’s entire response.

We appreciate the cooperation and courtesies OCIO personnel extended to the OIG
during this audit. OIG personnel who made major contributions to this report are listed in
Appendix E.


Elliot P. Lewis
Assistant Inspector General
 for Audit


Exhibits


Exhibit 1
DOL’s 113 Investments

All costs were extracted as reported from DOL’s OMB Exhibit 53 and rounded to two
decimal places. [20]

[20] All funding was based on OMB Exhibit 53s from: Budget Year (BY) 2014 submitted on September 10, 2012,
BY 2013 submitted on May 2, 2012, and BY 2012 submitted on May 24, 2011. The BY occurred from October 1 to
September 30 of the following year and was submitted by each federal agency to OMB prior to October. The May
submissions also contained approved budget passback information provided from OMB to DOL. The May
submissions updated the original proposed budgets submitted to OMB in September of the previous year. BY 2014
did not include May passback information in the list of 113 investment information provided.

                                                                                   FY 2010      FY 2011      FY 2012      Total FY 2010 to FY 2012
    Agency CPIC Investment                                                         Actual Cost  Actual Cost  Actual Cost  Actual Costs
                                                                                   (millions)   (millions)   (millions)   (millions)
1   ALJ    ALJ Case Tracking System (CTS)                                          $1.58        $1.87        $1.61        $5.06
2   BLS    American Time Use Survey Systems                                        0.32         0.78         0.79         1.89
3   BLS    Compensation and Working Conditions Activities & Systems                0.17         0.18         0.19         0.54
4   BLS    Consumer Expenditure and Information Systems                            3.4          3.35         3.38         10.13
5   BLS    Consumer Price Index (CPI) Maintenance                                  12.73        12.47        15.08        40.27
6   BLS    Current Employment Statistics (CES) Maintenance                         7.07         5.71         5.71         18.49
7   BLS    Current Population Survey (CPS) Maintenance                             1.06         1.15         1.16         3.38
8   BLS    Employment Projections Systems                                          0.15         0.15         0.15         0.46
9   BLS    Employment and Unemployment Statistics Cross-Cutting Activities         0.81         0.21         0.21         1.24
10  BLS    Executive Direction Activities                                          0.20         0.15         0.16         0.51
11  BLS    Industrial Prices Systems (IPS)                                         15.87        16.03        16.15        48.04
12  BLS    Internet Data Collection Facility (IDCF)                                1.25         1.78         1.79         4.82
13  BLS    Job Openings and Labor Turnover Statistics Systems                      0.07         0.17         0.17         0.41
14  BLS    LABSTAT Maintenance                                                     4.87         5.20         5.23         15.3
15  BLS    Local Area Unemployment Statistics Systems                              1.90         2.98         3.01         7.89
16  BLS    Management Information System                                           2.59         2.69         2.70         7.98
17  BLS    Mass Layoff Statistics Systems                                          1.08         0.90         0.91         2.89
18  BLS    Measuring Green-Collar Jobs                                             0.08         0.15         0.22         0.44
19  BLS    National Compensation Survey (NCS) Maintenance                          6.44         6.54         5.70         18.68
20  BLS    National Longitudinal Surveys Systems                                   0.00         0.00         0.00         0.01
21  BLS    Occupational Employment Statistics Systems                              2.47         1.13         1.13         4.73
22  BLS    Occupational Safety & Health Statistics (OSHS) Systems                  3.29         3.12         3.14         9.55
23  BLS    Planning and Control Activities                                         4.96         3.61         3.64         12.20
24  BLS    Prices and Cost of Living Cross-Cutting Activities                      0.79         0.35         0.36         1.5
25  BLS    Product Research and Certification Activities                           1.08         1.46         1.47         4.01
26  BLS    Productivity Maintenance                                                0.2          0.2          0.63         1.03
27  BLS    Productivity and Technology Activities & Systems                        0.26         0.27         0.27         0.8
28  BLS    Quarterly Census of Employment and Wages (QCEW) Systems                 5.39         7.12         6.88         19.39
29  BLS    Technology Management & Strategic Activities                            6.07         5.86         5.74         17.66
30  DOL    DOL - Agencies' General Support Systems                                 78.46        98.53        99.22        276.21
31  DOL    DOL - Appeals Management System                                         0.87         0.46         0.6          1.93
32  DOL    DOL - IT Infrastructure Modernization (DITIM)                           19.54        16.23        24.04        59.81
33  DOL    DOL eGrants                                                             5.22         3.1          3.65         11.97
34  DOL    DOL-Wide Enterprise Architecture Program (EAP)                          2.3                                    2.3
35  EBSA   EFAST2                                                                  12.82        13.61        16.09        42.52
36  EBSA   Mission Critical Core IT Activities                                     0.99         0.99         0.99         2.97
37  EBSA   Mission Support Activities (MSA)                                        4.51         4.73         4.75         13.99
38  ETA    ETA Application Support Services                                        3.87         3.73         3.84         11.44
39  ETA    ETA General and Customer Support                                        0.9          0.8          0.89         2.59
40  ETA    ETA Planning and Control                                                3.09         1.85         1.90         6.84
41  ETA    Enterprise Business Support System (EBSS)                               11.63        5.70         6.23         23.56
42  ETA    Foreign Labor Certification Systems (FLCS)                              11.30        10.75        9.33         31.38
43  ETA    Job Corps LAN/WAN                                                       20.44        26.04        14.18        60.65
44  ETA    Job Corps Student Pay Allotment Management Information System (SPAMIS)  10.43        11.94        12.21        34.58
45  ETA    Unemployment Insurance Database Management System                       3.98         3.69         4.27         11.94
46  MSHA   MSHA Application Support Services                                       1.01         1.05         1.08         3.14
47  MSHA   MSHA Distance Learning and Web-based Training                           0.25         0.25         0.25         0.75
48  MSHA   MSHA Enterprise Architecture/Planning and Control                       2.02         2.1          2.19         6.31
49  MSHA   MSHA Internet/Intranet Maintenance                                      0.2          0.2          0.21         0.61
50  MSHA   MSHA Standardized Information System (MSIS)                             6.55         6.98         6.53         20.06
51  MSHA   Mine Accident, Injury, and Employment System (MAIES)                    0.4          0.42         0.43         1.25
52  OASAM  Acquisition Management System (AMS)                                     2.14         2.14         7.14         11.43
53  OASAM  Application Maintenance and Support                                     1.45         1.52         1.56         4.53
54  OASAM  Benefits.gov                                                            4.66         3.56         3.2          11.42
55  OASAM  CIO Activities                                                          5.59         5.31         5.2          16.1
56  OASAM  Computer Security Tools                                                 0            0.76         0.93         1.69
57  OASAM  Customer Service Modernization Program (CSMP)                                        2            4.9          6.9
58  OASAM  Departmental E-Business Suite (DEBS)                                    1.3          3.08         2.83         7.21
59  OASAM  Disaster Assistance Improvement Plan                                    0.43         0.41         0.12         0.96
60  OASAM  E-Property Management and Inventory Initiative                          0.5          0.51         0.52         1.53
61  OASAM  E-Rulemaking                                                            0.69         0.23         0.27         1.18
62  OASAM  Electronic Capital Planning and Investment Control (eCPIC) System       0.2          0.2          0.23         0.63
63  OASAM  General System and Customer Support                                     2.98         3.09         3.2          9.27
64  OASAM  Grants.gov                                                              0.18         0.18         0.17         0.53
65  OASAM  HR Line of Business                                                     1.87         1.53         3.9          7.3
66  OASAM  HR Works                                                                1.36         8.7          4.13         14.19
67  OASAM  HSPD-12                                                                 5.83         4.62         2.8          13.25
68  OASAM  IAE Loans and Grants                                                    0.07         0.08         0.11         0.26
69  OASAM  ISS LOB FISMA Reporting Tool - DOJ CSAM                                 0.28         0.27         0.25         0.79
Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n                                                                                       Total\n                                                                                     FY 2010 to\n                                               FY 2010    FY 2011    FY 2012\n                                                                                      FY 2012\n     Agency       CPIC Investment               Actual     Actual     Actual\n                                                                                       Actual\n                                                 Cost       Cost       Cost\n                                                                                       Costs\n                                              (millions) (millions) (millions)\n                                                                                     (millions)\n              ISS LOB FISMA Reporting\n70   OASAM\n              Tool - CyberScope\n                                                    0        0.04         0.04           0.08\n              Integrated Acquisition\n71   OASAM\n              Environment\n                                                   0.18      0.15         0.15           0.48\n              LOB: Budget Formulation and\n72   OASAM\n              Execution\n                                                   0.1       0.11         0.11           0.31\n\n73   OASAM    LOB: Financial Management            0.08      0.08         0.08           0.23\n\n74   OASAM    LOB: Grants Management               0.11      0.08         0.17           0.36\n              LOB: Human Resource\n75   OASAM\n              Management\n                                                   0.07      0.07         0.07           0.2\n              Safety and Health Information\n76   OASAM    Management System                    1.32      1.61         0.78           3.71\n              
(SHIMS)\n              Secretary's Information\n77   OASAM\n              Management System (SIMS)\n                                                   1.32       0.4         0.52           2.24\n\n78   OASAM    eProcurement                         1.88      1.22         1.22           4.32\n              ELAW S (Employment Laws\n79    OASP    Assistance for W orkers and          0.97      0.94         0.97           2.89\n              Small Businesses)\n              New Core Financial\n80   OCFO     Management                           15.6      23.06        23.29         61.94\n              System(NCFMS)\n\n81   OCFO     OCFO - eGov Travel Service           0.8        0.8         1.07           2.66\n\n82   OCFO     PeoplePower                           8          8            8             24\n\n83    ODEP    Disability.gov                       2.04      2.04         2.05           6.13\n              Federal Contractor\n84   OFCCP\n              Compliance System (FCCS)\n                                                   0.85      3.73         3.62           8.21\n              OFCCP Information System\n85   OFCCP\n              (OFIS)\n                                                   3.16      3.25         2.52           8.93\n\n86    OIG     e-OIG Information Systems            0.64      0.83         0.86           2.32\n              Electronic Labor Organization\n87    OLMS\n              Reporting System (e.LORS)\n                                                   2.07      2.15         2.22           6.45\n\n\n\n                                                                  CPIC Needs Improvement\n                                              19                Report No. 23-14-009-07-723\n\x0c                                        U. S. 
Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n                                                                                        Total\n                                                                                      FY 2010 to\n                                                  FY 2010    FY 2011    FY 2012\n                                                                                       FY 2012\n      Agency       CPIC Investment                 Actual     Actual     Actual\n                                                                                        Actual\n                                                    Cost       Cost       Cost\n                                                                                        Costs\n                                                 (millions) (millions) (millions)\n                                                                                      (millions)\n               OPA - DOL- National Contact\n88     OPA\n               Center Initiative (DOL-NCC)\n                                                      3.42    3.08         3.08           9.58\n               OPA - Enterprise\n89     OPA\n               Communications Initiative\n                                                       7      7.36         7.13          21.49\n\n90     OSHA    OSHA - Applications Support            2.35    2.64         2.50           7.49\n\n91     OSHA    OSHA - Architecture Support            0.43    0.09          1.2           1.72\n               OSHA - Expert Advisors (E-\n92     OSHA\n               Systems/E-Tools)\n                                                       0.5     0.5          0.5           1.5\n\n93     OSHA    OSHA - Help Desk                        1.6    1.21         2.35           5.16\n               OSHA - Information System\n94     OSHA\n               (OIS)\n                                                      16.16   15.97        10.78         42.91\n 
              OSHA -\n95     OSHA    Internet/Extranet/Intranet             1.35    1.71         1.59           4.65\n               Operations and Maintenance\n               OSHA - Measurement and\n96     OSHA\n               Reporting System (MARS)\n                                                       0.1     0.1          0.1           0.29\n               OSHA - Modernization of\n97     OSHA    Collecting Injuries and Illness                  0            0             0\n               Data\n               OSHA - Technical Information\n               Management System (TIMS),\n98     OSHA    formerly identified as the             0.39    0.44         0.44           1.27\n               Technical Information\n               Retrieval System (TIRS).\n               OSHA - Training,\n99     OSHA    Documentation, and                      0.6    0.63          0.6           1.83\n               Configuration Management\n               Black Lung Claims System\n100   OWCP\n               (BLCS)\n                                                      11.75   11.94        11.94         35.63\n               Energy Compensation\n101   OWCP\n               System (ECS)\n                                                      18.17   19.26        11.71         49.13\n               Integrated Federal\n102   OWCP     Employees' Compensation                23.97   18.92        18.92         61.81\n               System (iFECS)\n               Longshore Claims Systems\n103   OWCP\n               (LCS)\n                                                      1.43    1.46         1.44           4.32\n               OWCP Workers'\n104   OWCP     Compensation System                     0        0          0.01           0.01\n               (OWCS)\n\n\n                                                                   CPIC Needs Improvement\n                                                 20              Report No. 
23-14-009-07-723\n\x0c                                          U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n                                                                                          Total\n                                                                                        FY 2010 to\n                                                 FY 2010    FY 2011    FY 2012\n                                                                                         FY 2012\n        Agency       CPIC Investment              Actual     Actual     Actual\n                                                                                          Actual\n                                                   Cost       Cost       Cost\n                                                                                          Costs\n                                                (millions) (millions) (millions)\n                                                                                        (millions)\n105      SOL     SOL - IT Modernization              4.64       5.02         4.88          14.53\n                 Information Technology and\n106      VETS\n                 Research Support\n                                                     0.73       0.75         0.78           2.25\n                 USERRA Information\n107      VETS\n                 Management System (UIMS)\n                                                     0.35       0.75         0.77           1.86\n\n108      VETS    VETS-100 Reporting                  0.26       0.63         0.96           1.85\n                 Back Wage Financial System\n109      WHD\n                 (BWFS)\n                                                     1.92       1.98         1.73           5.63\n                 Civil Money Penalty System\n110      WHD\n                 (CMPS)\n                                                     1.04       1.07          1.1           3.21\n     
            Strategic Enforcement\n                 Achieves Compliance\n111      WHD\n                 System (SEACS) & Prevailing\n                                                                             0.47           0.47\n                 Wage System (PW S)\n                 Wage Determination System\n112      WHD\n                 (WDS)\n                                                     8.01       3.19         4.31          15.51\n                 Wage Hour Investigative\n113      WHD     Support and Reporting               1.84       1.89         1.76           5.49\n                 Database (W HISARD)\nTotal\n                                                  $463.6      $486.03      $480.66       $1,430.28\nCosts\n\n\n\n\n                                                                     CPIC Needs Improvement\n                                                21                 Report No. 23-14-009-07-723\n\x0c         U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\nPAGE INTENTIONALLY LEFT BLANK\n\n\n\n\n\n                                    CPIC Needs Improvement\n               22                 Report No. 23-14-009-07-723\n\x0c                                                   U. S. 

Exhibit 2
Investments Classified as Non-Major

(all amounts in millions)

                                                     FY 2010           FY 2011           FY 2012    FY 2010 to
                                                                                                       FY 2012
Investment [21]                              DME [22] O&M [23]      DME      O&M      DME      O&M Total Costs

ETA - Enterprise Business Support System           $0   $11.63       $0    $5.70       $0    $6.23      $23.56
(EBSS)
BLS - Current Employment Statistics (CES)           0     7.07        0     5.71        0     5.71       18.49
Maintenance
BLS - Technology Management & Strategic             0     6.07        0     5.86        0     5.74       17.66
Activities
OASAM - CIO Activities                              0     5.59        0     5.31        0     5.20        16.1
BLS - Quarterly Census of Employment and            0     5.39        0     7.12        0     6.88       19.39
Wages (QCEW) Systems
DOL - Agencies' General Support Systems                               0    98.53        0    99.22      197.76
ETA - Job Corps LAN/WAN                                               0    26.04        0    14.18       40.21
OWCP - Black Lung Claims System (BLCS)                                0    11.94        0    11.94       23.89
BLS - LABSTAT Maintenance                                             0     5.20        0     5.23       10.43

[21] All funding based on OMB Exhibit 53s from: September 10, 2012 (BY 2014), May 2, 2012 (BY 2013), and
     May 24, 2011 (BY 2012).
[22] DME - Development, Modernization, and Enhancement
[23] O&M - Operations & Maintenance

Exhibit 3
Financial Management Investments Classified as Non-major

(all amounts in millions)

                                                     FY 2010           FY 2011           FY 2012    FY 2010 to
                                                                                                       FY 2012
Investment [24]                                   DME      O&M      DME      O&M      DME      O&M Total Costs

OWCP - Black Lung Claims System (BLCS)             $0   $11.75       $0   $11.94       $0   $11.94      $35.63
WHD - Back Wage Financial System (BWFS)             0     1.92        0     1.98        0     1.73        5.63
WHD - Civil Money Penalty System (CMPS)             0     1.04        0     1.07        0      1.1        3.21
OASAM - E-Property Management and Inventory         0     0.50        0     0.51        0     0.52        1.53
Initiative
OWCP - Longshore Claims Systems (LCS)               0     1.43        0     1.46        0     1.44        4.32

Total                                                                                                   $50.32

[24] All funding based on OMB Exhibit 53s from: September 10, 2012 (BY 2014), May 2, 2012 (BY 2013), and
     May 24, 2011 (BY 2012).

Exhibit 4
Investments Categorized as Not Applicable

(all amounts in millions)

                                                     FY 2010           FY 2011           FY 2012    FY 2010 to
                                                           O&M               O&M               O&M     FY 2012
                                                        Steady            Steady            Steady       Total
Investments [25]                                  DME    State      DME    State      DME    State       Costs

DOL - Agencies' General Support Systems            $0   $78.46       $0   $98.53       $0   $99.22     $276.21
Technology Management & Strategic Activities        0     6.07        0     5.86        0     5.74       17.66

Total                                                                                                  $293.87

[25] All funding based on OMB Exhibit 53s from: September 10, 2012 (BY 2014), May 2, 2012 (BY 2013), and
     May 24, 2011 (BY 2012).


Exhibit 5
Investments Missing Significant Portions of CPIC Documentation

(all amounts in millions)

                                                     FY 2010           FY 2011           FY 2012    FY 2010 to
                                                           O&M               O&M               O&M     FY 2012
                                                        Steady            Steady            Steady       Total
Investments [26]                                  DME    State      DME    State      DME    State       Costs

DOL – IT Infrastructure Modernization           $12.9    $6.64     $5.1   $11.13    $8.15   $15.88      $59.81
OASAM – Acquisition Management System            2.14        0     2.14        0     7.14        0       11.43

Total                                                                                                   $71.24

[26] All funding based on OMB Exhibit 53s from: September 10, 2012 (BY 2014), May 2, 2012 (BY 2013), and
     May 24, 2011 (BY 2012).


Appendices


Appendix A
Background

DOL spends about $500 million annually on a portfolio of information technology (IT)
investments that support its mission and the delivery of customer services. This level of
spending requires DOL to develop and implement a comprehensive approach to
responsible management of these IT assets.

DOL’s integrated IT governance process is supported by the OCIO’s IT Capital Planning
and Investment Control (CPIC) Program.
The CPIC Program uses the “Select-Control-Evaluate” methodology to help program
agencies and DOL’s executive leadership select the appropriate IT investments for
inclusion in the DOL IT portfolio, control the ongoing effective performance of those
investments, and evaluate how well those investments achieve their intended results.

In 2000, GAO published an exposure draft of Information Technology Investment
Management: A Framework for Assessing and Improving Process Maturity (ITIM). Built
around the Select-Control-Evaluate approach described in the Clinger-Cohen Act of
1996, which established statutory requirements for IT management, the framework
provides a method for evaluating and assessing how well an agency is selecting and
managing its IT resources. The exposure draft reflected accepted or best practices in IT
investment management at that time, as well as the reported experience of federal
agencies and other organizations in creating their own investment management
processes.

In 2004, GAO issued an updated version of this exposure draft to take into account:
comments GAO had received; GAO’s experiences evaluating several agencies’
implementations of investment management processes and the lessons learned by
those agencies; and the importance of enterprise architecture (EA) as a critical frame of
reference in making IT investment decisions.

GAO asserted that using the framework to analyze an agency’s IT investment
management processes provides: (1) a rigorous, standardized tool for internal and
external evaluations of these processes; (2) a consistent and understandable
mechanism for reporting the results of assessments; and (3) a road map that agencies
can follow in improving their processes.

In March 2013, we identified inconsistent cost estimating practices that caused a lack of
credible capital planning that may negatively affect management’s
decisions on IT budgets and initiatives in a report titled Department's Information
Technology Security Program is Weakened by Deficiencies.

Due to the criticality of IT investment management and the finding in the OIG report
stated above, the OIG incorporated GAO’s ITIM framework in its audit of DOL’s
IT investment management processes.


Appendix B
Objectives, Scope, Methodology, and Criteria

Objective

Has DOL established effective controls to manage the IT investment process?

Scope

Our audit included DOL’s portfolio of 113 [27] IT investments reported to OMB for FYs 2010,
2011, and 2012. Additional FY 2013 documentation was considered for revisions and
finalization of FY 2012 reporting, corrections, and key investment information that was not
recorded for the previous 3 fiscal years. The funding reported to OMB for FYs 2010,
2011, and 2012 totaled $1.43 billion. [28] In testing the IT investment portfolio, OIG examined
the applicable policies, procedures, and process controls DOL had in place and IT capital
planning processes, which included the electronic capital planning investment control
system (eCPIC).
OIG work was performed at DOL’s National Office in Washington, DC.

Methodology

To evaluate whether DOL has established effective controls to manage the IT
investment process, we reviewed federal laws and regulations, along with DOL policies
and procedures applicable to the CPIC process. We then selected a sample of 15 IT
investments to use as case studies to determine if critical DOL processes had been
implemented in accordance with the OCIO’s IT CPIC policy.

We selected the 15 investments to test using a detailed two-tier, risk-based approach.
Specifically, the first 7 investments were selected by applying 7 risk factors to the
sample universe of 113 major and non-major IT investments. The 7 investments
selected were assigned the most risk factors. These factors included: total FY funding,
funding trend increase/decrease/spike, investment phase, descriptions with statements
incorporating terms for cloud/re-organization/IT funding, start dates with emphasis on
investments over ten years, OCIO scorecard ratings that included more than 25 percent
variances, and OCIO scorecards with differing statements between the internal
scorecard and OMB Exhibit 300 and 53 statements. The remaining 8 investments were
judgmentally selected so that the widest variety of investments was included in the
testing selection. The 15 investments selected represented 51 percent, or $725 million,
of the total $1.43 billion in IT investments funded during FY 2010 through FY 2012.

We reviewed DOL’s process for classifying major investments by obtaining a copy of its IT
Portfolio, or Exhibit 53, for FY 2010 through FY 2012.
We reviewed each of the investments in the portfolio and identified those investments
meeting DOL’s definition of a major investment. Those investments identified as major
were compared to DOL’s listing of major investments and any exceptions were identified.

[27] Sources: OMB IT Dashboard and DOL eCPIC investment inventory, http://www.ITDashboard.gov.
[28] Source: DOL OMB Exhibit 53s for FY 2010, FY 2011, and FY 2012.

We evaluated DOL’s progress in developing a mature investment management process
using GAO’s ITIM Framework. We applied the framework by comparing all 13 elements of
the framework to DOL’s CPIC processes. Our assessment was supported by our
review of documentation, discussions with DOL personnel, and our analysis of 15 business
cases provided in project management planning and OMB Exhibit 300 materials. Based on
the above information, we were able to assess the maturity of DOL’s CPIC process for
managing information technology investments.

We conducted our audit in accordance with generally accepted government auditing
standards for performance audits. Those standards require that we plan and perform the
audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objective.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Criteria

We used the following criteria to accomplish our audit:

   • Clinger-Cohen Act of 1996, Public Law 104-106
   • Office of Management and Budget (OMB) Circular A-11
   • OMB Circular A-130 Revised, “Management of Federal Information Resources”
   • OMB Guidance on Exhibits 53 and 300 – Information Technology and E-Government, 2013
   • OMB 25 Point Implementation Plan to Reform Federal Information Technology Management, December 9, 2010
   • NIST Special Publication 800-65, Integrating IT Security into the Capital Planning and Investment Control Process
   • GAO’s Information Technology Investment Management (ITIM): A Framework for Assessing and Improving Process Maturity (GAO-04-394G)
   • GAO’s Information Technology: A Framework for Assessing and Improving Enterprise Architecture Management, Version 1.1 (GAO-03-584G)
   • DOL Computer Security Handbook Edition 4.0
   • DOL Guide to Completing the FY 2013 OMB Exhibit 53, Version 1.0
   • DOL Guide to Completing the FY 2013 OMB Exhibit 300, Version 1.2
   • DOL FY13 IT Investment Review Requirements, 2-20-2013
   • OCIO Systems Development Life Cycle Management (SDLCM) Manual, Version 2.3
   • OCIO IT CPIC Guide: Managing IT Investments, Version 2.1
   • OCIO Earned Value Management Operational Guide, Version 1.7

Appendix C
Acronyms and Abbreviations

AGSS      Agency General Support System
AMS       Acquisition Management System
BLS       Bureau of Labor Statistics
CBA       Cost-Benefit Analysis
CPIC      Capital Planning Investment Control
EA        Enterprise Architecture
ECI       Enterprise Communications Initiative
DME       Development, Modernization, and Enhancement
DITIM     Department of Labor IT Infrastructure Modernization
DLMS      Department of Labor Manual Series
DOL       Department of Labor
EBSA      Employee Benefits Security Administration
eCPIC     Electronic Capital Planning Investment Control System
EFAST2    ERISA Filing Acceptance System 2
ERISA     Employee Retirement Income Security Act
ETA       Employment Training Agency
EVM       Earned Value Management
FY        Fiscal Year
GAO       Government Accountability Office
IT        Information Technology
ITIM      Information Technology Investment Management
LOB       Line of Business
MSHA      Mine Safety and Health Administration
MSIS      MSHA Standard Information System
NCFMS     New Core Financial Management System
NIST      National Institute of Standards and Technology
O&M       Operations and Maintenance
OASAM     Office of the Assistant Secretary for Administration and Management
OIG       Office of Inspector General
OCIO      Office of the Chief Information Officer
OCFO      Office of the Chief Financial Officer
OMB       Office of Management and Budget
OPA       Office of Public Affairs
OWCP      Office of Workers' Compensation Programs
PIR       Post Implementation Review
SDLCM     System Development Life Cycle Management
SOL       Department of Labor Office of the Solicitor
SP        Special Publication
TMSA      Technical Management & Strategic Activities
WBS       Work Breakdown Structure
WDS       Wage Determination System
WHD       Wage and Hour Division

Appendix D
CIO Response to Draft Report²⁹

29 OASAM’s Deputy Assistant Secretary for Operations responded for the CIO.

U.S. Department of Labor
Office of the Assistant Secretary for Administration and Management
Washington, D.C. 20210

DEC - ;;   ')I ,.,

MEMORANDUM FOR ELLIOT P. LEWIS
               Assistant Inspector General for Audit

FROM:          EDWARD C. HUGLER
               Deputy Assistant Secretary for Operations

SUBJECT:       Management's Response to the Office of the Inspector General Draft Report entitled: Improvements Needed to DOL's Capital Planning and Investment Controls for Managing Information Technology Investments, Report No. 23-14-009-07-723

This responds to the above-described draft report, dated November 29, 2013. The stated objective of the audit was to determine whether the Department has established effective controls to manage the IT investment process.

At the outset, management acknowledges that any process can be improved and we will take appropriate action to update Department-wide policies, processes and procedures to address the findings outlined in the draft report. During the audit, management expressed concern about the portrayal of IT investment management as a whole, including the nature, severity and ramifications of the findings. For the most part, the auditors have accommodated our input in the draft report. We appreciate the consideration.

With the foregoing in mind, management accepts the recommendations in the audit report and will take the following actions.

Recommendation 1. Perform a DOL-wide review of the IT Portfolio and the Investment Management Process to verify classification of all IT investments.

Response: Management accepts this recommendation and will verify the classification of all DOL IT investments by Q3 FY14.

Recommendation 2. Update IT capital planning and investment control policies, procedures and documentation to reflect and clarify: (a) Use of the capital planning tool and (b) the comprehensiveness of the investment management process and enforcement to maintain required eCPIC documentation for critical processes involving the select, control, and evaluate phases.

Response: Management accepts this recommendation and will update DOL CPIC documentation and clarify the intended usage of eCPIC by Q4 FY14.

Recommendation 3. Implement an investment management framework consistent with NIST SP 800-65 and which aligns with GAO's ITIM maturity framework to strengthen DOL's approach to IT investment management.

Response: Management accepts this recommendation and will review and consider the key practices specified in GAO's ITIM Maturity Framework for inclusion in DOL's IT investment management processes with emphasis on Stages 2 and 3, as inferred from the discussion of Finding 2 by Q3 FY14.

As always, we appreciate the opportunity to provide input and look forward to the continued collaboration with your office.
If you have any questions or comments please contact me at (202) 693-4040 or have your staff contact Pete Sullivan, Director IT Governance, at Sullivan.Peter@dol.gov or (202) 693-4211.

cc:    T. Michael Kerr, ASAM, CIO
       Dawn Leaf, Deputy CIO

Appendix E
Acknowledgements

Key contributors to this report were Keith Galayda (Audit Director), Ethan Iczkovitz, Christian Arsenault, Victor Chan, Micaela Jimenez, and Tia Salmon.

TO REPORT FRAUD, WASTE, OR ABUSE, PLEASE CONTACT:

Online:            http://www.oig.dol.gov/hotlineform.htm
Email:             hotline@oig.dol.gov

Telephone:         1-800-347-3756
                   202-693-6999

Fax:               202-693-7020

Address:           Office of Inspector General
                   U.S. Department of Labor
                   200 Constitution Avenue, N.W.
                   Room S-5506
                   Washington, D.C. 20210
"